| ID | TBSA-024-101 |
| DATE ISSUED | 2024-02-23 |
| ISSUE | Unquoted service path vulnerability in Tosibox Key software for Windows. |
| STATUS | Fixed |
| RISK LEVEL | High |
| FIX | The new version (3.3.1) of Tosibox Key for Windows has been released and is available as a software update. |
| ACTION REQUIRED | Customers are advised to upgrade to the latest version at their earliest convenience. |
Tosibox was informed of an issue in the Tosibox Key software that could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to insert their code in the system root path, undetected by the OS or other security applications, where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
Tosibox would like to thank Gjoko Krstic from Zero Science Lab for reporting this vulnerability under responsible disclosure.
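To confirm that no service on a host is still registered with an unquoted path after upgrading, the following audit can be run. It is an added example, not code from Tosibox or the reporter. It checks every Windows service rather than assuming the Tosibox Key service name, which the advisory does not give, and the function name `Get-UnquotedServicePathCandidate` is hypothetical.

```powershell
# Added example: audit Windows services for unquoted executable paths.
# For an unquoted path containing spaces, Windows may try each
# space-delimited prefix (with ".exe" appended) before the real binary.
function Get-UnquotedServicePathCandidate {
    param([Parameter(Mandatory)][string]$PathName)

    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return }              # quoted: unambiguous

    # Executable portion: everything up to the first ".exe" that is
    # followed by whitespace (arguments) or the end of the string.
    $m = [regex]::Match($p, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return }
    $exe = $m.Groups[1].Value
    if ($exe -notmatch ' ') { return }              # no space: unambiguous

    # Emit each earlier name Windows could resolve instead of $exe.
    $idx = $exe.IndexOf(' ')
    while ($idx -ge 0) {
        $exe.Substring(0, $idx) + '.exe'
        $idx = $exe.IndexOf(' ', $idx + 1)
    }
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $svc   = $_
        $cands = @(Get-UnquotedServicePathCandidate -PathName $svc.PathName)
        if ($cands.Count -gt 0) {
            # A file already present at a candidate path warrants investigation.
            $present = @($cands | Where-Object {
                Test-Path -LiteralPath $_ -PathType Leaf
            })
            [pscustomobject]@{
                Name          = $svc.Name
                StartName     = $svc.StartName
                StartMode     = $svc.StartMode
                PathName      = $svc.PathName
                PresentOnDisk = $present -join '; '
            }
        }
    } | Format-List
```

An empty result means no service on the host has an unquoted path containing spaces; a non-empty `PresentOnDisk` value is worth treating as a possible indicator of tampering.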